Hi!
I am playing with PostgreSQL TLS/SSL connections using OpenSSL, with server and client certificates.
I managed to establish the secure connection, by using DN=root.strasbourg.4js.com for the self-signed root CA, and DN=toro.strasbourg.4js.com for the server certificate, DN=pgsuser for the client certificate.
I have created my client certificate by using the root CA.
pg_hba.conf:
hostssl all pgsuser toro.strasbourg.4js.com md5 clientcert=verify-ca
Server and client are on the same Debian 11 machine.
It works, if I comment out the /etc/hosts line set by Debian Linux for my host name:
# 127.0.1.1 toro.strasbourg.4js.com toro
The name "toro" is then resolved to the IP address provided by my DHCP server:
root@toro:~# host toro
toro.strasbourg.4js.com has address 10.0.40.61
root@toro:~# host toro.strasbourg.4js.com
toro.strasbourg.4js.com has address 10.0.40.61
However, if I put the 127.0.1.1 line back in /etc/hosts, re-create all certificates (is this actually needed? I guess no), restart the PostgreSQL server, I get this error:
$ psql 'postgresql://toro.strasbourg.4js.com:5437/test1?user=pgsuser&sslmode=verify-ca&sslrootcert=./root.crt&sslcert=./client.crt&sslkey=./client.key'
psql: error: connection to server at "toro.strasbourg.4js.com" (127.0.1.1), port 5437 failed: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "pgsuser", database "test1", SSL encryption
What looks strange to me in this error is that first it mentions 127.0.1.1 (ok) but then, 127.0.0.1
What am I missing here?
Thanks!
Seb